Forum Discussion
oryxway390
Aug 02, 2022, Brass Contributor
Intune Autopilot policies
So, when you have Hybrid Azure AD and you Autopilot the devices into your domain, do you get all the Group Policies from your domain applied to that device?
- Aug 03, 2022
Hi oryxway390,
The short answer is yes. It is a domain-joined device, so it will get the GPOs, same as an AD-joined device. Depending on how you configure Intune, it will get policies from both sources, and this can result in conflicts or hard maintenance.
But the main question is: is hybrid join really required? Almost all GPO settings can be configured in Intune. Drive mappings can be set via Intune.
My advice: go for Azure AD joined and only Intune. This makes your life easier, in my opinion.
Kind regards,
Rene
somesh_pathak
Aug 03, 2022, Iron Contributor
Hi oryxway390, if your Autopilot devices are AAD joined only, they will get everything (configurations, policies, restrictions, scripts, apps, etc.) from Intune only. In the case of a Hybrid AAD joined device, it depends on the workloads:
- If all workloads are with SCCM, the device will get GPOs.
- If all workloads are with Intune, then the device is completely managed by Intune (consider using MDMWinsOverGP along with it).
- If you transition the device configuration workload to Intune, it will get MDM policies, but you might also have to use MDMWinsOverGP in case of a conflict in policies, if you want to use the MDM policies.
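As an added practical check (example code added to this thread, not posted by any of the participants): the PowerShell below, run in an elevated prompt on the enrolled device, reports which of the management paths described in the reply above are actually in play: how the device is joined (from `dsregcmd /status`), whether an Intune MDM enrollment exists, whether the ControlPolicyConflict/MDMWinsOverGP policy is in effect, and which computer GPOs `gpresult` says still apply. The two registry locations (the `MS DM Server` provider ID under `HKLM\SOFTWARE\Microsoft\Enrollments`, and the Policy CSP value under `HKLM\SOFTWARE\Microsoft\PolicyManager\current\device`) are assumptions about where Windows surfaces those settings; `dsregcmd` and `gpresult` are built-in tools.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the thread. Run on the Autopilot-enrolled device to see
# which management sources (AD GPO, Intune MDM) currently reach it.

function Get-DeviceJoinState {
    # dsregcmd /status prints "Key : Value" lines; keep the ones that describe join state.
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    $azure  = $state['AzureAdJoined'] -eq 'YES'
    $domain = $state['DomainJoined']  -eq 'YES'
    if     ($azure -and $domain) { $join = 'Hybrid Azure AD joined (AD GPOs and Intune both reach this device)' }
    elseif ($azure)              { $join = 'Azure AD joined (Intune only)' }
    elseif ($domain)             { $join = 'Domain joined only (not registered in Azure AD)' }
    else                         { $join = 'Not joined' }
    [pscustomobject]@{ JoinType = $join; Domain = $state['DomainName']; Tenant = $state['TenantName'] }
}

function Test-IntuneEnrolled {
    # Assumption: each MDM enrollment is a GUID subkey here, and Intune's ProviderID is "MS DM Server".
    $providers = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID }
    return [bool]($providers -contains 'MS DM Server')
}

function Get-MdmWinsOverGpState {
    # Assumption: Policy CSP values are surfaced under PolicyManager\current\device\<Area>\<Setting>.
    # ControlPolicyConflict/MDMWinsOverGP = 1 makes the MDM policy win where the same setting is
    # configured from both sides; 0 or absent means the GPO wins.
    $key = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\ControlPolicyConflict'
    $v = (Get-ItemProperty -Path $key -Name MDMWinsOverGP -ErrorAction SilentlyContinue).MDMWinsOverGP
    if ($null -eq $v) { return 'Not configured: GPO wins on conflict' }
    if ($v -eq 1)     { return 'Enabled: MDM policy wins on conflict' }
    return "Value ${v}: GPO wins on conflict"
}

function Get-AppliedComputerGpos {
    # gpresult lists applied GPOs under "Applied Group Policy Objects", one name per line,
    # after a dashed underline and terminated by a blank line.
    $gpos = @(); $inList = $false
    foreach ($line in (gpresult /r /scope:computer)) {
        if ($line -match 'Applied Group Policy Objects') { $inList = $true; continue }
        if (-not $inList) { continue }
        if ($line -match '^\s*-+\s*$') { continue }   # the underline
        if ($line -match '^\s*$')      { break }      # end of the list
        $gpos += $line.Trim()
    }
    return $gpos
}

$join = Get-DeviceJoinState
Write-Output ("Join state        : {0}" -f $join.JoinType)
Write-Output ("AD domain / tenant: {0} / {1}" -f $join.Domain, $join.Tenant)
Write-Output ("Intune enrolled   : {0}" -f (Test-IntuneEnrolled))
Write-Output ("MDMWinsOverGP     : {0}" -f (Get-MdmWinsOverGpState))
Write-Output "Applied computer GPOs:"
Get-AppliedComputerGpos | ForEach-Object { Write-Output "  $_" }
```

One caveat when reading the output: MDMWinsOverGP only decides the winner where the same setting is configured from both Intune and a GPO. GPO settings that have no MDM counterpart keep applying to a hybrid-joined device regardless, so if the goal is for GPOs not to apply at all, that has to be handled on the AD side (OU placement, security or WMI filtering) or by not domain-joining the device.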
oryxway
Aug 03, 2022, Iron Contributor
Ours is Hybrid AD joined. We do not have SCCM. We use WSUS to push patches, and there are no application pushes as such as of now. We are using a VDI environment, so all access to applications is through VDI within the device.
As of now we are going to have devices domain joined and Hybrid AAD joined. So, in such a scenario, how is it going to work? Won't the Intune policies/configuration profiles/app pushes apply?
- somesh_pathak, Aug 03, 2022, Iron Contributor
As you mentioned you are going to have Hybrid AAD join, so it totally depends upon you how you want to manage the environment: it can be using GPO, or Config Mgr standalone, or Intune, or both. You can refer to this article for a detailed explanation:
https://docs.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid
- oryxway, Aug 03, 2022, Iron Contributor
Hi Somesh,
You said that you can co-manage. Now, we do not have Configuration Manager (SCCM/CM) on prem. But I am reading something here in one of the locations about client installation properties (PROVISIONTS). So, can we install the Configuration Manager client on this newly added device through Autopilot for co-management? Is this still through Intune, or ??
- somesh_pathak, Aug 03, 2022, Iron Contributor
Hi John,
Why Hybrid AAD join? If you currently do not have SCCM, then why would you add it to your infra? The best option is to go for AAD join, as you can manage almost everything from Intune and still access your on-prem resources from a cloud PC.
Br/
Somesh
- oryxway, Aug 03, 2022, Iron Contributor
Well, we do not have Config Manager. So, we want to make sure that we start managing using Intune. So, when the devices are domain joined (earlier I worked only with AAD, so this is new for me), I am not sure how having the devices on prem and managing them through Intune would work. Will the policies or configuration profiles that I create be applied to the devices on prem? How can we not allow the GPOs to be applied (just by blocking inheritance on the OU?)
I am a little bit confused, as I have only worked on AAD. Sorry for my stupidity in asking this.